Hackers exploit critical flaws in WordPress plugins; thousands of vulnerable websites

The Thrive Themes developers announced the release of security patches for flaws in their WordPress plugins and legacy themes, noting that some groups of threat actors could attack deployments that have not been updated. Thrive Themes is a set of tools for content management systems (CMS).

The two reported flaws would allow unauthenticated threat actors to upload arbitrary files to vulnerable websites, compromising the entire affected infrastructure. Security patches to fix these flaws were issued on March 12.

Although the flaws have already been fixed, threat actors have deployed a wave of exploit attempts that could affect up to 100,000 WordPress websites that have not been updated: “We’ve detected multiple exploit attempts in real-world scenarios, so we asked users to upgrade to the latest version available,” says Chloe Chamberland, Wordfence’s cybersecurity specialist.

The most severe vulnerability received a score of 10/10 according to the Common Vulnerability Scoring System (CVSS) and resides in Thrive Themes Legacy Themes, a set of tools to compress images automatically during upload, a functionality that was implemented insecurely.

The second flaw is less severe and resides in Thrive Themes plugins. This flaw exists due to an unsafe implementation of a feature in Thrive Dashboard, which allows integration with the Zapier online automation tool. The flaws reside in the following versions of Thrive Themes:

  • Thrive Optimize, earlier than v1.4.13.3
  • Thrive Comments, earlier than v1.4.15.3
  • Thrive Headline Optimizer, earlier than v1.3.7.3
  • Thrive Themes Builder, earlier than v2.2.4
  • Thrive Leads v2.3.9.4
  • Thrive Ultimatum, earlier than v2.3.9.4
  • Thrive Quiz Builder, earlier than v2.3.9.4
  • Thrive Apprentice v2.3.9.4
  • Thrive Architect, earlier than v2.6.7.4
  • Thrive Dashboard, earlier than 2.3.9.3
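An installed-version audit against the list above, as an added example that is not code from Thrive Themes or Wordfence. It assumes the input is JSON in the shape produced by `wp plugin list --fields=title,version --format=json` and that plugin titles match the product names in the article; the sample data is constructed.

```python
import json

# Thresholds copied from the article's list. "before": the article says
# "earlier than". "listed": the article gives only the version number.
ADVISORY = {
    "Thrive Optimize": ("before", "1.4.13.3"),
    "Thrive Comments": ("before", "1.4.15.3"),
    "Thrive Headline Optimizer": ("before", "1.3.7.3"),
    "Thrive Themes Builder": ("before", "2.2.4"),
    "Thrive Leads": ("listed", "2.3.9.4"),
    "Thrive Ultimatum": ("before", "2.3.9.4"),
    "Thrive Quiz Builder": ("before", "2.3.9.4"),
    "Thrive Apprentice": ("listed", "2.3.9.4"),
    "Thrive Architect": ("before", "2.6.7.4"),
    "Thrive Dashboard": ("before", "2.3.9.3"),
}

def parse_version(text):
    """'v2.3.9.4' -> (2, 3, 9, 4); raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))

def assess(title, installed):
    """Return 'vulnerable', 'review', 'ok' or 'not-listed' for one plugin."""
    if title not in ADVISORY:
        return "not-listed"
    kind, ref = ADVISORY[title]
    try:
        have, want = parse_version(installed), parse_version(ref)
    except ValueError:
        return "review"  # e.g. '2.6.7-beta': cannot be ordered safely
    width = max(len(have), len(want))  # pad so 2.2.4 == 2.2.4.0
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    if kind == "before":
        return "vulnerable" if have < want else "ok"
    # Assumption: entries without "earlier than" get a manual check up to the listed version.
    return "review" if have <= want else "ok"

def audit(wp_cli_json):
    """Map each plugin title in the WP-CLI JSON to its verdict."""
    return {p["title"]: assess(p["title"], p["version"])
            for p in json.loads(wp_cli_json)}

# Constructed sample, not output from a real site.
SAMPLE = ('[{"title": "Thrive Optimize", "version": "1.4.9"},'
          ' {"title": "Thrive Leads", "version": "2.3.9.4"},'
          ' {"title": "Thrive Dashboard", "version": "2.3.9.3"}]')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Versions are compared as integer tuples because a plain string comparison would rank 1.4.9 above 1.4.13.3 and miss a vulnerable install.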

Chamberland claims that hackers could chain these two vulnerabilities to access affected websites. However, the specialist mentions that at the moment it is not possible to reveal additional details about the attacks, as thousands of website administrators have still not upgraded to secure versions of the plugins.

Moreover, a group of cybersecurity specialists mentions that attackers are exploiting the flaw known as “Unauthenticated Option Update” to upload arbitrary files and malicious PHP files. “The result of chained exploitation of these flaws allows threat actors to gain backdoor access to vulnerable websites,” she concludes.
